function/src/online_decrypt.rs - incubator-teaclave - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.

 extern crate base64;
 use anyhow::{anyhow, bail, Result};
 use ring::aead::*;
 use std::convert::TryFrom;
 use std::str;
 use teaclave_types::{FunctionArguments, FunctionRuntime};

 #[derive(Default)]
 pub struct OnlineDecrypt;

 #[derive(serde::Deserialize)]
 struct OnlineDecryptArguments {
     key: String,
     nonce: String,
     encrypted_data: String,
     algorithm: String,
 }

 impl TryFrom<FunctionArguments> for OnlineDecryptArguments {
     type Error = anyhow::Error;

     fn try_from(arguments: FunctionArguments) -> Result<Self, Self::Error> {
         use anyhow::Context;
         serde_json::from_str(&arguments.into_string()).context("Cannot deserialize arguments")
     }
 }

 fn decrypt(
     key: &[u8],
     nonce_data: &[u8],
     data: &mut Vec<u8>,
     alg: &'static ring::aead::Algorithm,
 ) -> anyhow::Result<()> {
     let key = LessSafeKey::new(UnboundKey::new(alg, key).map_err(|_| anyhow!("decryption error"))?);
     let nonce = Nonce::try_assume_unique_for_key(&nonce_data[0..12])
         .map_err(|_| anyhow!("decryption error"))?;
     key.open_in_place(nonce, Aad::empty(), data)
         .map_err(|_| anyhow!("decryption error"))?;
     data.truncate(data.len() - alg.tag_len());
     Ok(())
 }

 fn decrypt_string_base64(
     key: &str,
     nonce_str: &str,
     encrypted: &str,
     alg: &'static ring::aead::Algorithm,
 ) -> anyhow::Result<String> {
     let decoded_key = base64::decode(key)?;
     let nonce = base64::decode(nonce_str)?;
     let mut data_vec = base64::decode(encrypted)?;

     decrypt(&decoded_key, &nonce, &mut data_vec, alg).map_err(|_| anyhow!("decryption error"))?;
     let string = str::from_utf8(&data_vec).map_err(|_| anyhow!("base64 decoded error"))?;

     Ok(string.to_string())
 }

 impl OnlineDecrypt {
     pub const NAME: &'static str = "builtin_online_decrypt";

     pub fn new() -> Self {
         Default::default()
     }

     pub fn run(
         &self,
         arguments: FunctionArguments,
         _runtime: FunctionRuntime,
     ) -> anyhow::Result<String> {
         let args = OnlineDecryptArguments::try_from(arguments)?;
         let key = args.key;
         let nonce = args.nonce;
         let encrypted_data = args.encrypted_data;
         let algorithm = &args.algorithm[..];

         let alg = match algorithm {
             "aes128gcm" => &AES_128_GCM,
             "aes256gcm" => &AES_256_GCM,
             _ => bail!("Invalid algorithm"),
         };

         let result = decrypt_string_base64(&key, &nonce, &encrypted_data, alg)?;
         Ok(result)
     }
 }

 #[cfg(feature = "enclave_unit_test")]
 pub mod tests {
     use super::*;
     use serde_json::json;
     use teaclave_runtime::*;
     use teaclave_test_utils::*;
     use teaclave_types::*;

     pub fn run_tests() -> bool {
         run_tests!(test_online_decrypt)
     }

     fn test_subroutine(args: FunctionArguments, result: &str) {
         let input_files = StagedFiles::default();
         let output_files = StagedFiles::default();
         let runtime = Box::new(RawIoRuntime::new(input_files, output_files));
         let function = OnlineDecrypt;
         let summary = function.run(args, runtime).unwrap();
         assert_eq!(summary, result);
     }

     fn test_online_decrypt() {
         let args1 = FunctionArguments::from_json(json!({
             "key": "aqUdgZ0lJnuz9yiPkoDxM6ZcTcVVpd4KKLqzbHD88Lg=",
             "nonce": "AAECAwQFBgcICQoL",
             "encrypted_data": "CaZd8qSMMlBp8SjSXj2I4dQIuC9KkZ5DI/ATo1sWJw==",
             "algorithm": "aes256gcm"
         }))
         .unwrap();
         test_subroutine(args1, "Hello Teaclave!");

         let args2 = FunctionArguments::from_json(json!({
             "key": "aqUdgZ0lJnuz9yiPkoDxMw==",
             "nonce": "AAECAwQFBgcICQoL",
             "encrypted_data": "OqMscYqxk1CshHQZulTrrDlJjS/v6BE/clWJyTerUw==",
             "algorithm": "aes128gcm"
         }))
         .unwrap();
         test_subroutine(args2, "Hello Teaclave!");
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.

	extern crate base64;
	use anyhow::{anyhow, bail, Result};
	use ring::aead::*;
	use std::convert::TryFrom;
	use std::str;
	use teaclave_types::{FunctionArguments, FunctionRuntime};

	#[derive(Default)]
	pub struct OnlineDecrypt;

	#[derive(serde::Deserialize)]
	struct OnlineDecryptArguments {
	key: String,
	nonce: String,
	encrypted_data: String,
	algorithm: String,
	}

	impl TryFrom<FunctionArguments> for OnlineDecryptArguments {
	type Error = anyhow::Error;

	fn try_from(arguments: FunctionArguments) -> Result<Self, Self::Error> {
	use anyhow::Context;
	serde_json::from_str(&arguments.into_string()).context("Cannot deserialize arguments")
	}
	}

	fn decrypt(
	key: &[u8],
	nonce_data: &[u8],
	data: &mut Vec<u8>,
	alg: &'static ring::aead::Algorithm,
	) -> anyhow::Result<()> {
	let key = LessSafeKey::new(UnboundKey::new(alg, key).map_err(\|_\| anyhow!("decryption error"))?);
	let nonce = Nonce::try_assume_unique_for_key(&nonce_data[0..12])
	.map_err(\|_\| anyhow!("decryption error"))?;
	key.open_in_place(nonce, Aad::empty(), data)
	.map_err(\|_\| anyhow!("decryption error"))?;
	data.truncate(data.len() - alg.tag_len());
	Ok(())
	}

	fn decrypt_string_base64(
	key: &str,
	nonce_str: &str,
	encrypted: &str,
	alg: &'static ring::aead::Algorithm,
	) -> anyhow::Result<String> {
	let decoded_key = base64::decode(key)?;
	let nonce = base64::decode(nonce_str)?;
	let mut data_vec = base64::decode(encrypted)?;

	decrypt(&decoded_key, &nonce, &mut data_vec, alg).map_err(\|_\| anyhow!("decryption error"))?;
	let string = str::from_utf8(&data_vec).map_err(\|_\| anyhow!("base64 decoded error"))?;

	Ok(string.to_string())
	}

	impl OnlineDecrypt {
	pub const NAME: &'static str = "builtin_online_decrypt";

	pub fn new() -> Self {
	Default::default()
	}

	pub fn run(
	&self,
	arguments: FunctionArguments,
	_runtime: FunctionRuntime,
	) -> anyhow::Result<String> {
	let args = OnlineDecryptArguments::try_from(arguments)?;
	let key = args.key;
	let nonce = args.nonce;
	let encrypted_data = args.encrypted_data;
	let algorithm = &args.algorithm[..];

	let alg = match algorithm {
	"aes128gcm" => &AES_128_GCM,
	"aes256gcm" => &AES_256_GCM,
	_ => bail!("Invalid algorithm"),
	};

	let result = decrypt_string_base64(&key, &nonce, &encrypted_data, alg)?;
	Ok(result)
	}
	}

	#[cfg(feature = "enclave_unit_test")]
	pub mod tests {
	use super::*;
	use serde_json::json;
	use teaclave_runtime::*;
	use teaclave_test_utils::*;
	use teaclave_types::*;

	pub fn run_tests() -> bool {
	run_tests!(test_online_decrypt)
	}

	fn test_subroutine(args: FunctionArguments, result: &str) {
	let input_files = StagedFiles::default();
	let output_files = StagedFiles::default();
	let runtime = Box::new(RawIoRuntime::new(input_files, output_files));
	let function = OnlineDecrypt;
	let summary = function.run(args, runtime).unwrap();
	assert_eq!(summary, result);
	}

	fn test_online_decrypt() {
	let args1 = FunctionArguments::from_json(json!({
	"key": "aqUdgZ0lJnuz9yiPkoDxM6ZcTcVVpd4KKLqzbHD88Lg=",
	"nonce": "AAECAwQFBgcICQoL",
	"encrypted_data": "CaZd8qSMMlBp8SjSXj2I4dQIuC9KkZ5DI/ATo1sWJw==",
	"algorithm": "aes256gcm"
	}))
	.unwrap();
	test_subroutine(args1, "Hello Teaclave!");

	let args2 = FunctionArguments::from_json(json!({
	"key": "aqUdgZ0lJnuz9yiPkoDxMw==",
	"nonce": "AAECAwQFBgcICQoL",
	"encrypted_data": "OqMscYqxk1CshHQZulTrrDlJjS/v6BE/clWJyTerUw==",
	"algorithm": "aes128gcm"
	}))
	.unwrap();
	test_subroutine(args2, "Hello Teaclave!");
	}
	}